OOB on Arzedlab 🪵

Exploring Integer Overflow: libxml2 Integer Overflow, which leads to OOB

Fri, 22 Aug 2025 00:00:00 +0000

Exploring Integer Overflow: libxml2 Integer Overflow OOB

In everyday life, numbers feel endless. You can always count one higher, or subtract one more. But computers don’t work like that. Inside your machine, numbers are stored in fixed-sized containers and when you push them past their limits, strange things happen. When a calculation produces a value that’s too large or too small for its container, we get integer overflow or integer underflow.

EXIM: CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Mon, 26 May 2025 00:00:00 +0000

EXIM: Analysis 4.92.1-R

This is just as re-analysis to better understand, the reporter and author of there vulnerabileties is company Qualys official link: https://www.qualys.com/2021/05/04/21nails/21nails.txt

CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Callers of pdkim_finish_bodyhash()

main() → receive_msg() → dkim_exim_verify_finish()

dkim_exim_verify_finish() be called to verify DKIM (DomainKeys Identified Mail) signature, then calls pdkim_feed_finish() , which calls pdkim_finish_bodyhash()

DKIM (DomainKeys Identified Mail) looks like this.

Code of the function pdkim_finish_bodyhash()

...
 /* VERIFICATION --------------------------------------------------------- */
 /* Be careful that the header sig included a bodyash */

 if ( sig->bodyhash.data
 && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
 {
 DEBUG(D_acl) debug_printf("PDKIM [%s] Body hash compared OK\n", sig->domain);
 }
 else
 {
 DEBUG(D_acl)
 {
	debug_printf("PDKIM [%s] Body hash signature from headers: ", sig->domain);
	pdkim_hexprint(sig->bodyhash.data, sig->bodyhash.len);
	debug_printf("PDKIM [%s] Body hash did NOT verify\n", sig->domain);
	}
 sig->verify_status = PDKIM_VERIFY_FAIL;
 sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
 }
...

Unfortunately, at line 826, sig->bodyhash.data is attacker-controlled (through a “DKIM-Signature:” mail header) and memcmp() is called without checking first that sig->bodyhash.len is equal to b->bh.len: memcmp() can read sig->bodyhash.data out-of-bounds. If the acl_smtp_dkim is set (it is unset by default), an unauthenticated remote attacker may transform this vulnerability into an information disclosure; we have not fully explored this possibility.

CVE-2019-5782 Out-Of-Bounds V8

Fri, 01 Dec 2023 13:13:13 +0500

CVE-2019-5782 | OOB V8

Research Done By Ravshan Rikhsiev (2023)

Type Of Vulnerability	Out-Of-Bounds
Security Severity	High
Effected Components	Javascript, Turbofan, Compiler
Issue Source	https://bugs.chromium.org/p/chromium/issues/detail?id=906043
Writeup Source(s)	None
Tested Version	V8 7.3.0
Vulnerable commit	18b28402118b7918512c3e5b6bc5c6f348d43564

Building

mkdir v8
cd v8
fetch v8
cd v8
# Moving into vulnerable commit
git checkout 18b28402118b7918512c3e5b6bc5c6f348d43564
# Sync depot tools
gclient sync -D
# Installing dependencies 
build/install-build-deps.sh
# Installing ninja to build
sudo apt install -y ninja-build
# Release and Debug versions of V8
tools/dev/gm.py x64.release; tools/dev/gm.py x64.debug

Incorrect optimization assumptions in V8

Turbofan is an optimizing compiler in the V8 JavaScript engine. It translates JavaScript code into highly optimized machine code for better performance. It uses various techniques, such as inlining functions, optimizing data types, and eliminating unnecessary operations, to generate efficient code. This helps improve the execution speed of JavaScript programs running in V8.